You are absolutely right, thanks for pointing this out. DNSSEC is the best solution to these (and other) vulnerabilities and efforts should be focused on its (correct) adoption (see challenges here: http://eprint.iacr.org/2013/254). However, since partial DNSSEC deployment may introduce new vulnerabilities, e.g., fragmentation-based attacks, the recommendations that I wrote in an earlier email can be adopted in the short term to prevent attacks till DNSSEC is fully deployed.

On Sat, Oct 19, 2013 at 5:53 PM, P Vixie <p...@redbarn.org> wrote:

> M. Shulman, your summary does not list dnssec as a solution to any of
> these vulnerabilities, can you explain why not? Vixie
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--
Haya Shulman
Technische Universität Darmstadt
FB Informatik/EC SPRIDE
Morewegstr. 30
64293 Darmstadt
Tel. +49 6151 16-75540
www.ec-spride.de

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs